CVE-2014-2279

high

Description

Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/91831

http://www.securityfocus.com/bid/66256

http://sourceforge.net/p/seeddms/code/ci/master/tree/CHANGELOG

http://packetstormsecurity.com/files/125726

http://osvdb.org/show/osvdb/104466

http://archives.neohapsis.com/archives/bugtraq/2014-03/0101.html

Details

Source: Mitre, NVD

Published: 2014-10-17

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.03863